there are two problems with that. first, people tend to forget what they
don’t rehearse. and second, the constant pace of technological and business
changes will render almost any plan useless within a couple of years if you
don’t frequently update it.

“Whatever you decided to do two years ago — do you still have the appropriate levels of technology to make it happen?” asks terry assink, group vice
president at brand Velocity. “Have you changed things, upgraded things or
moved functions elsewhere such that your plan isn’t valid anymore?” many
organizations today have a model that’s different from what they once had,
with fewer functions and less data on-site and more data residing in the
cloud. the effect is that a local crisis that interrupts communications and/or
power will pose a different set of problems than it would have in the past.

In particular, assink notes, the importance of maintaining an Internet con-

When Did You LastPractice Your Plan?

nection has grown dramatically in the recent past. “We used to think aboutthe internal network and the outside network, and the outside one had asecondary role,” he says. “now, they each have the same level of impor-tance. a lot of the collaboration that goes on between employees and withpartners and customers is conducted over the Internet today.”In addition to reviewing your business continuity plan at least once ayear, you should also practice it at least as often. communications providerorange business services engages in unannounced audits to test businesscontinuity plans at each of its support centers. the company conducted justsuch a test at its cairo location about a week before the egyptian uprisingstarted, curfews were imposed, and the government cut off sms and Inter-net communications. With a well-rehearsed plan in place, orange was able toswiftly move disrupted support functions to its other centers in India, braziland mauritius, and then smoothly return them to cairo nine days later, afterthe Internet was restored and relative calm had returned.

International sos practices its business continuity and disaster recoveryplans at each of its 70 worldwide locations at least once every six months,according to michael shea, executive vice president for It. “one thing we re-alized when we first started doing this is that the first time we practice some-thing, we are horrible at it,” he says. “When we go to set up a data center at adisaster recovery site, whether hot, warm or cold, it never goes well the firsttime. We need at least two practices to do it smoothly. so if we practice onceevery six months, it takes us at least a year to get good at it.”— mInda ZetlIn

Getting an answer proved challenging. First, there was no singlestaff directory that covered the entire company and was kept up todate with ongoing staff changes. Nor was there a single directory ofevery person’s location and contact information. Second, even if itexisted, such a directory would not have included contractors, whononetheless fit within the CEO’s definition of “our people.”Third, there was no central record of which London employ-ees were on vacation, on leave or traveling that day, or — moreworrisome — which employees from other locations might bevisiting London. And finally, even for those employees who wereknown to be in London and for whom the company had ad-dresses and phone numbers, it was hard to make contact.

“Transportation was disrupted, cellphone service was down,
SMS was down, and it was very unclear for most of the day just
what had happened,” recalls Andrew Marshall, director of Con-sultifi, which helps companies understand business risks.

The company’s HR and IT departments weren’t able to provide a timely
answer to the CEO’s questions, he says.
“It turned into a conversation that
involved philosophy and technology as
well as HR,” Marshall notes.

There are several lessons any I Tleader can draw from this tale. First,there’s no such thing as a safe location:Disruptions can happen anywhere.Second, it’s important to have a planthat spells out what everyone’s respon-sibilities will be and includes all theinformation you’ll need. And finally,systems, because “normal” methods of communication will likelyfail — especially mobile, which is quickly overwhelmed by the spikein local demand that takes place during any crisis.

Concerns About Crisis events Grow

It would be impossible to think about events of the past 12 months
without having at least a few qualms over systems, data and employees, especially those outside the U.S., and the possible effect of
local unrest, epidemics, earthquakes or other hazards. Indeed, in
a 2010 survey of the 100 largest technology companies, 55% of executives reported worrying about “natural disasters, war, conflicts
and terrorist attacks.” When the same executives were again asked
that question in 2011, that percentage rose to 81%.